99% of NASA’s portable devices are unencrypted

An unencrypted laptop containing control codes for the International Space …

NASA could stand to tighten up the security of its data, according to a report filed with the US House of Representatives Wednesday. Virtually none of the agency's portable devices are encrypted, and 48 of them were lost or stolen between April 2009 and April 2011. One of those was an unencrypted notebook containing algorithms to command and control the International Space Station.

The report notes that while around 54 percent of devices used government-wide are encrypted, only 1 percent of NASA's devices are encrypted as of February 2012. Even worse for the agency's information security, its security experts aren't even certain how much sensitive data has been lost, as their reports rely on those who lost the devices to self-report what was lost, rather than requiring a check of backed-up files.

Lost hardware is not the least of NASA's problems, either: the report also addresses cyber attacks often launched against the agency, called advanced persistent threats. When the agency itself checked for security vulnerabilities, it found several security holes in support systems for the Space Shuttle and International Space Station. Through those holes, an attacker can gain control of the system or "render it unavailable."

A November 2011 attack on the Jet Propulsion Lab by China-based IP addresses gave unauthorized users "full functional control" over the networks, including the ability to modify, copy, or delete sensitive files and add, modify, or delete user accounts for "mission-critical" JPL systems. That incident is still under investigation.

35 Reader Comments

This is ridiculous. I work for the USDA; we have to encrypt cell phones and laptops. Period. No exceptions. If you can't encrypt it, it can't be used. How does NASA not have to follow the same protocols as the USDA?

I continue to be confused about how these devices can be "lost".....On one hand, as an administrator, I have to admit that I've "lost" equipment, because I can't follow all of my users around to keep track of all of the devices which we issue.

From the other perspective, however, it just doesn't make sense to me....."Hey, boss, this is kind of embarrassing, but I've misplaced my laptop....."

1. Proprietary/sensitive data should never be stored directly on laptops.
2. Laptop hard drives need to be encrypted. You can do this for free easily with TrueCrypt. And I believe Windows 7 supports hard drive encryption out of the box as well now.
3. The control codes should rotate with a multi-step authentication system.
4. NASA should hire me to shore up their InfoSec department.

I continue to be confused about how these devices can be "lost".....On one hand, as an administrator, I have to admit that I've "lost" equipment, because I can't follow all of my users around to keep track of all of the devices which we issue.

From the other perspective, however, it just doesn't make sense to me....."Hey, boss, this is kind of embarrassing, but I've misplaced my laptop....."

Easy, someone steals it. If you have never had anything stolen from you in your life, I would say you are lucky.

You my friend are in the front line in protecting our most precious resource: cheeseburgers. Therefore it is entirely understandable that the USDA would require such a strict protocol. Everything else IS SECONDARY, yes even NASA.

This is news to me. I have a friend who works at the Jet Propulsion Laboratory, and he said that JPL started encrypting all laptop hard drives some time ago. I would expect those laptops to account for more than 1% of all of NASA's portable devices, which makes me wonder about that 99% figure.

Why should most of their data be encrypted? With the exception of a few things like HR information and passwords to systems/spacecraft, the majority of the data they handle should be public domain anyway. Deciding which information is important and protecting it well is shown to improve security over blanket rules that apply to mundane and sensitive information alike.

They should be taken to task over the important stuff they didn't protect, but not over meaningless metrics like number of unencrypted devices.

Another reason why private sector space exploration would be more effective. Any contractor that is this lax on security would lose their contracts immediately and more secure contractors would be used in the future. Instead, we have this big, unaccountable and bureaucratic institution where entry level jobs require a minimum of PhD and years of experience.

This is news to me. I have a friend who works at the Jet Propulsion Laboratory, and he said that JPL started encrypting all laptop hard drives some time ago. I would expect those laptops to account for more than 1% of all of NASA's portable devices, which makes me wonder about that 99% figure.

JPL has an interesting relationship with NASA. It *is* a NASA Research Center but almost none of the employees are NASA employees. They are actually employed by Caltech (or are contractors). JPL doesn't (usually) get to participate in volume license purchases with other NASA centers. JPL negotiated its own ODIN contract separate from NASA. So when you see figures for "NASA" they may not necessarily include data from JPL.

Also, depending on your friend's definition of "some time ago" he is wrong. I worked at JPL for 16 years, up until Dec. 2009, and full disk encryption was *just* being discussed when I left and it wasn't being implemented except by the users themselves (by some of the more knowledgeable employees).

And about this article, I doubt some of the claims about the November 2011 attack on the Jet Propulsion Lab giving 'unauthorized users "full functional control" over the networks' and the ability to 'add, modify, or delete user accounts for "mission-critical" systems'. Perhaps the employee network but then this wouldn't fit the usage of "full functional control over the networks" nor "mission-critical". I haven't spoken to my friends, still at JPL, about this attack but I suspect the fltops network was not compromised.

Another reason why private sector space exploration would be more effective.

That's debatable.

ahugeblunt wrote:

Any contractor that is this lax on security would lose their contracts immediately and more secure contractors would be used in the future. Instead, we have this big, unaccountable and bureaucratic institution where entry level jobs require a minimum of PhD and years of experience.

I think you are confusing NASA with a DOD institution. Very little of NASA's data is DOD classified. Most is ITAR and Proprietary or SBU; however, I cannot comment on whether or not it would violate a space act agreement and require contract termination.

Your statement about hiring practices is completely and totally false. Interns and co-ops are regularly hired (when not under a hiring freeze) as well as fresh-out bachelor's grads. Most GS-10 + are hired based off of experience. Most PhD's in the NASA engineering world are not held in that high of esteem. In my tenure at Marshall in the engineering group, we only hired a few PhD's with 20+ years of experience. All others, which constitutes the vast majority, were fresh-outs or less than 5 years of experience.

Another reason why private sector space exploration would be more effective. Any contractor that is this lax on security would lose their contracts immediately and more secure contractors would be used in the future. Instead, we have this big, unaccountable and bureaucratic institution where entry level jobs require a minimum of PhD and years of experience.

You appear to be living under the assumption that private contractors don't do work for NASA. This is an extremely false assumption, a large fraction of the people who "work at NASA" are in fact contractors working for other companies paid by NASA to do the work.

1. Proprietary/sensitive data should never be stored directly on laptops.
2. Laptop hard drives need to be encrypted. You can do this for free easily with TrueCrypt. And I believe Windows 7 supports hard drive encryption out of the box as well now.
3. The control codes should rotate with a multi-step authentication system.
4. NASA should hire me to shore up their InfoSec department.

HDD encryption should be standard, but rotation of codes isn't necessary or practical.
1.) No mission critical systems should even be on the same network that can be connected easily to the internet. Key word here is EASILY.
2.) Use of HDD encryption should be standard.
3.) All portable drives and even cell phones should be automatically encrypted.
4.) Hell, just use the Linux thumb drive from the Air Force; they will support organizations for a fee. This way anybody's laptop can be used at any time but you still have a clean system each time. Data would be kept at the servers in JPL or other NASA facilities, but (as said before) mission critical systems should not be sharing resources with internet capable networks.
5.) Patch those systems within 6 weeks of the patch coming out. I understand why some shops wait, the update could break things that are in common use in the world, never mind in-house programs, BUT... timely updates doesn't mean instant updates.
6.) Double up on the mission critical system/networks as a hot backup (or create a small substantially similar network/system that works as an analogue and can be a backup in case of primary failure), update the hot backup first, see if it works or what breaks, fix the breaks, then patch the primary.

Hell, I could go on, but some of these are relatively simple and don't create onerous demands on the scientists and engineers. They do require proper support for the IT dept and willingness to offload some of the work to trusted groups IN the government.

1. Proprietary/sensitive data should never be stored directly on laptops.
2. Laptop hard drives need to be encrypted. You can do this for free easily with TrueCrypt. And I believe Windows 7 supports hard drive encryption out of the box as well now.
3. The control codes should rotate with a multi-step authentication system.
4. NASA should hire me to shore up their InfoSec department.

Number two contradicts number one. If a laptop is properly encrypted then one never has to worry about the hard drive falling into the wrong hands, even if the laptop gets stolen.

Outside of the NASA-related story, a majority of issues relating to any proprietary information are caused in emails, use of WiFi in general, etc...

And about this article, I doubt some of the claims about the November 2011 attack on the Jet Propulsion Lab giving 'unauthorized users "full functional control" over the networks' and the ability to 'add, modify, or delete user accounts for "mission-critical" systems'. Perhaps the employee network but then this wouldn't fit the usage of "full functional control over the networks" nor "mission-critical". I haven't spoken to my friends, still at JPL, about this attack but I suspect the fltops network was not compromised.

I'm *at* JPL right now... And yes, what Gyrator says is correct. The fltops (Flight Operations) network is like the military's SIPRNET -- it's not connected to the outside, and would not have been compromised.

Laptops now are all Win 7 and encrypted. All thumbdrives, etc. are also supposed to be encrypted if carrying sensitive information. Things have changed...

For being smart as shit, they are dumb as hell. I wonder how many of their passwords are set to something like 1234567, Password, and probably even NASA since I doubt they implemented a minimum length requirement. I think it's time to do a major overhaul of NASA instead of cutting back their budget/programs, or just tell them that they have to go private and lose all federal funding.

The Chinese are going to come out with something that is going to convince me that NASA ripped off the Chinese instead of the other way around with how much IP they are stealing. Give it a few years and it will happen.

Why should most of their data be encrypted? With the exception of a few things like HR information and passwords to systems/spacecraft, the majority of the data they handle should be public domain anyway. Deciding which information is important and protecting it well is shown to improve security over blanket rules that apply to mundane and sensitive information alike.

They should be taken to task over the important stuff they didn't protect, but not over meaningless metrics like number of unencrypted devices.

Nice, at least one guy with the proper perspective. If you could really take control of, or render unavailable, the space station from a lost NASA laptop; then yes, they need to tighten that up. (I don't think for a second that's true)

But smothering real scientists trying to get work done with a new layer of bureaucratic IT will really help them, I'm sure..

Why should most of their data be encrypted? With the exception of a few things like HR information and passwords to systems/spacecraft, the majority of the data they handle should be public domain anyway. Deciding which information is important and protecting it well is shown to improve security over blanket rules that apply to mundane and sensitive information alike.

They should be taken to task over the important stuff they didn't protect, but not over meaningless metrics like number of unencrypted devices.

Nice, at least one guy with the proper perspective. If you could really take control of, or render unavailable, the space station from a lost NASA laptop; then yes, they need to tighten that up. (I don't think for a second that's true)

But smothering real scientists trying to get work done with a new layer of bureaucratic IT will really help them, I'm sure..

That is the attitude that has created the illusion of security and safety that you enjoy today. I am a network administrator for several Federal facilities. I have found this combative attitude all over my stations. Here is the real deal. There is no such thing as true security. There is always a way around or through. It is best practices and careful usage that protects. It is not another layer of bureaucratic IT. It is user laziness to think this way. Do you know the procedure for logging onto an encrypted laptop? Let me show you. Power on your laptop. After the BIOS boots, an encryption logon screen will load up. Enter your username and password (follows pw complexity and regular refreshes of 30 days), continue booting up. Log in to Windows. That's it. Go about your day knowing that if you shut down your laptop as you are supposed to when finished with it, no one can access that admin PowerPoint you have on it. Most of the data on laptops is so trivial it doesn't matter, but the practices are still important. In case you goofed and brought the ISS launch codes home with you on your Toshiba Satellite lol. 100% encryption just isn't that hard. No reason to not, every reason to. Like seat belts in a car. Won't save you every time but could save you one time. That's reason enough.

And about this article, I doubt some of the claims about the November 2011 attack on the Jet Propulsion Lab giving 'unauthorized users "full functional control" over the networks' and the ability to 'add, modify, or delete user accounts for "mission-critical" systems'. Perhaps the employee network but then this wouldn't fit the usage of "full functional control over the networks" nor "mission-critical". I haven't spoken to my friends, still at JPL, about this attack but I suspect the fltops network was not compromised.

I'm *at* JPL right now... And yes, what Gyrator says is correct. The fltops (Flight Operations) network is like the military's SIPRNET -- it's not connected to the outside, and would not have been compromised.

Laptops now are all Win 7 and encrypted. All thumbdrives, etc. are also supposed to be encrypted if carrying sensitive information. Things have changed...

All through reading the article I couldn't help but think of this, having worked at a company that sold firewalls to an intelligence agency, it boggled my mind to think anyone would be insane enough not to segregate networks for things like fltops. Heck, I've seen a lot less sensitive stuff be put on segregated networks.

Edit: @ShyGuy13 Segregated networks (i.e. not connected to the outside world) are perfectly secure from an IT point of view. Sure you still need to handle premise security, but that's a whole different can of worms, and not IT's job.

Seems the most interesting thing here is not what's been written in the article but the underlying assumptions in the first place.

Is NASA a space science research and exploration organization funded by taxpayers for the common good? Or is it a thinly veiled military wing of the US government, aimed at outdoing potential rivals for world power by exploiting space as a military battleground?

Because if it is the former, then they shouldn't need "security" on their portable devices. They should be doing their best to GIVE AWAY information. In which case there is no news article to be written here.

The more I look at discussions of IT security, the more I suspect the entire field is a farce, in which elaborate policies are drawn up, only to be ignored or bypassed the instant they become inconvenient.

And about this article, I doubt some of the claims about the November 2011 attack on the Jet Propulsion Lab giving 'unauthorized users "full functional control" over the networks' and the ability to 'add, modify, or delete user accounts for "mission-critical" systems'. Perhaps the employee network but then this wouldn't fit the usage of "full functional control over the networks" nor "mission-critical". I haven't spoken to my friends, still at JPL, about this attack but I suspect the fltops network was not compromised.

I'm *at* JPL right now... And yes, what Gyrator says is correct. The fltops (Flight Operations) network is like the military's SIPRNET -- it's not connected to the outside, and would not have been compromised.

Laptops now are all Win 7 and encrypted. All thumbdrives, etc. are also supposed to be encrypted if carrying sensitive information. Things have changed...

All through reading the article I couldn't help but think of this, having worked at a company that sold firewalls to an intelligence agency, it boggled my mind to think anyone would be insane enough not to segregate networks for things like fltops. Heck, I've seen a lot less sensitive stuff be put on segregated networks.

Edit: @ShyGuy13 Segregated networks (i.e. not connected to the outside world) are perfectly secure from an IT point of view. Sure you still need to handle premise security, but that's a whole different can of worms, and not IT's job.

Joker, most of these laptops aren't joined to a domain and are not used at work. They are used because we do not allow fed data on a personal PC. They are standalone PCs used to continue work at home or make presentations. I don't even know why a segregated network applies to this discussion. Btw, we do use segregated networks for different reasons; the government is not retarded. We also use VLANs and multiple firewall techs and web filtering and all sorts of other industry best practices. NASA apparently does not, but USDA does.

The more I look at discussions of IT security, the more I suspect the entire field is a farce, in which elaborate policies are drawn up, only to be ignored or bypassed the instant they become inconvenient.

The point of networks is to share information. The point of computer security is to keep people from getting information. They have opposing goals that must be balanced according to specific needs in each workplace and situation. Even with standard "best practices" that apply almost anywhere, there is a lot of tailoring that needs to be done depending on whether the network is set up for NASA or set up for an insurance agency. Lots of people commenting here do IT work in other environments, it seems.

Ziontrain wrote:

Seems the most interesting thing here is not what's been written in the article but the underlying assumptions in the first place. Is NASA a space science research and exploration organization funded by taxpayers for the common good? Or is it a thinly veiled military wing of the US government, aimed at outdoing potential rivals for world power by exploiting space as a military battleground? Because if it is the former, then they shouldn't need "security" on their portable devices. They should be doing their best to GIVE AWAY information. In which case there is no news article to be written here.

Even NASA is subject to federal laws restricting access to programs or hardware. Things like ITAR are meant to prevent some programs, equipment, or designs from leaving the US because of their potential military significance, even if they aren't being used for military purposes in the US. There's also the commonsense problem of giving away the means to control space hardware to just anybody, which could cause serious problems. Despite these inconveniences, I find that NASA is a highly open and accessible agency for the general public. Much of the information they produce is automatically public domain, and you can often get source code and data used in their scientific studies, not to mention the relevant scientific papers to use them, free from their websites.

Joker, most of these laptops aren't joined to a domain and are not used at work. They are used because we do not allow fed data on a personal PC. They are standalone PCs used to continue work at home or make presentations. I don't even know why a segregated network applies to this discussion. Btw, we do use segregated networks for different reasons; the government is not retarded. We also use VLANs and multiple firewall techs and web filtering and all sorts of other industry best practices. NASA apparently does not, but USDA does.

The reason I bring up segregated networks is because the article mentions the ability of attackers to render mission critical systems unavailable; I can only see that happening if they have access to mission critical networks. The article also mentions "algorithms to command and control the ISS" and those would only be relevant if someone had a way to communicate with the ISS, which presumably can only be done from NASA, so again it would require access to mission critical networks.

I don't think NASA (or the JPL) is stupid; my point was exactly the contrary. My point was that it seems the article is making overblown claims...

The point of networks is to share information. The point of computer security is to keep people from getting information. They have opposing goals that must be balanced according to specific needs in each workplace and situation.

Of course. The ideal outcome is that you work out what your threat models are, what's an acceptable level of risk, and implement policies that balance security and accessibility. But what I keep running across is arbitrary, draconian security policies on the one hand, and sometimes unspoken, sometimes overt efforts to bypass security measures on the other.

That is, on the one hand, you'll have a rule that all passwords must be twelve characters long, contain a mix of numbers, symbols, and letters of both cases, and that there must be no sharing of passwords. On the other, you'll have a manager tell you that the department policy is to use the password '12345GoNiners!!' for all accounts, so that there's no confusion.

In this case, 99% of devices unencrypted sounds bad -- except, what's gone wrong because of it? Is anyone actually trying to steal this data, and what would happen if they did?

A few days ago, I was reading up on flash drive encryption, which in itself looks like a mess. On Linux, the standard seems to be LUKS, which can in theory be decrypted on Windows using OTFE, which has one maintainer, hasn't been updated in a few years, and which can't readily be installed on 64-bit Windows 7 because of its use of unsigned drivers. Microsoft recommends BitLocker, which you can only get by shelling out an extra $100 for Windows Ultimate -- which is at least irritating. But of course, everyone actually uses TrueCrypt, which is nominally open source, but isn't in Fedora's repositories, because, according to Red Hat's lawyers, the unique license for TrueCrypt apparently gives the copyright holders an unrestricted right to sue anyone who actually uses the software, and the people behind TrueCrypt won't negotiate.

The upshot of all that is, while I see full disk encryption suggested as a best practice no-brainer, it actually looks to me like a mess.